Section 9.7. Summary


  • If you are using PHP to handle form input data (and let's face it, you probably will do so some day, if you are not already), make sure you do not make any assumptions about the reliability of the data. Remember, it came from users, and we don't trust users, do we?

  • If you are inserting form data into your database, try turning magic quotes on. Then turn it back off again once you realize it's evil, and switch to something like mysql_escape_string( ).

  • Users already have a hard enough time before they get in contact with your forms, so do not make them more complicated than they need to be. Split forms across pages if possible, keep selections to a minimum, lay options out neatly using HTML tables, and mark required fields clearly.
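
The second point above, as an added example that is not from the book: addslashes() stands in for magic quotes (which applied it to every GET, POST and cookie value), and PDO bound parameters and PDO::quote() are used in place of mysql_escape_string( ). It assumes PHP with the PDO SQLite driver; the table and the input value are constructed.

```php
<?php
// Added example: blanket escaping of input (magic quotes) compared with
// escaping at the database boundary. Table and values are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE authors (name TEXT)');

$input = "O'Reilly";            // constructed form value

// 1. What magic quotes did: addslashes() on the request value, before the
//    application knew where the value was going.
$magic = addslashes($input);

// The backslash is MySQL-style escaping. SQLite follows standard SQL and
// expects the quote to be doubled, so the concatenated statement is malformed.
try {
    $pdo->exec("INSERT INTO authors (name) VALUES ('$magic')");
    $concatResult = 'inserted';
} catch (PDOException $e) {
    $concatResult = 'rejected: ' . $e->getMessage();
}

// 2. The same pre-escaped value through a bound parameter: the query is
//    safe, but the stored name now carries a stray backslash.
$stmt = $pdo->prepare('INSERT INTO authors (name) VALUES (?)');
$stmt->execute([$magic]);

// 3. The raw value, bound as a parameter: the driver handles it at the
//    point of use and the stored name is unchanged.
$stmt->execute([$input]);

// 4. Driver-specific quoting, the PDO counterpart of an escape function.
$pdo->exec('INSERT INTO authors (name) VALUES (' . $pdo->quote($input) . ')');

$rows = $pdo->query('SELECT name FROM authors ORDER BY rowid')
            ->fetchAll(PDO::FETCH_COLUMN);

echo "concatenated magic-quoted value: $concatResult\n";
foreach ($rows as $i => $name) {
    echo "row $i: $name\n";
}
```

Only the row written in step 2 comes back with a backslash in it, which is the data corruption that blanket input escaping causes once the value is also handled correctly at the database layer.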



PHP in a Nutshell
ISBN: 596100671
Year: 2003
Pages: 249
